2.8 LOGGING

This section covers how to configure Red Hat 7.3 to increase the security of the subsystems related to logging. The steps include configuring which messages are logged, where they are sent, and how often the log files are rotated. Two related steps, automatic review of the log files and synchronization of the system clock, are also covered.

2.8.1 syslogd

Messages from daemon processes running on a Linux system (and, via klogd, from the kernel) are sent to the syslogd daemon. Each message has two properties, a facility and a level (priority), which respectively describe which subsystem sent the message and how important it is. How syslogd handles each message is determined by the /etc/syslog.conf file. The possible actions include appending the message to a local log file, writing it to the console or a local TTY, sending it to one or more currently logged-in users, or forwarding it to a remote log server.

Note that sending a copy of log messages to a remote log server helps preserve a record of an intruder's activity when a system is compromised. An intruder commonly erases or modifies the local logs to cover their tracks, but cannot alter the copies on a remote syslog server without breaking into that system as well. Bear in mind that classic syslog forwarding is plain UDP to port 514 with no authentication or encryption, so the log server itself must be well protected and should accept messages only from the expected hosts (for example by means of a packet filter).

2.8.1.1 Replace the Default Configuration File for the syslogd Daemon (/etc/syslog.conf) with a More Secure Configuration File

The syslog.conf in Appendix B ensures that important messages are recorded. It also segregates the messages stored on the local file system into subsystem-specific log files, which makes each file easier to read and increases the chance that anomalies will be noticed when a log file is reviewed.

2.8.1.2 Restart the syslogd and Ensure That It Is Configured to Run on Boot

Force the syslogd daemon to re-read its configuration file (the init script is named syslog, the same service name chkconfig uses below):

 [root@localhost]# /etc/init.d/syslog restart 

Make sure the syslogd is configured to start automatically on boot:

 [root@localhost]# /sbin/chkconfig --level 2345 syslog on 

2.8.1.3 [Optional] Verify the New Configuration

The logger utility, installed with the util-linux package, sends a log message to any facility and level you name, which makes it a convenient way to verify the configuration. For example, the command

 [root@localhost]# /usr/bin/logger -p mail.info "Test mail log message" 

should result in a line similar to the following being appended to /var/log/maillog:

 Aug 10 10:22:14 localhost root: Test mail log message 

Be aware that logger does not allow messages to be sent to the kern facility, so /var/log/kernel cannot be exercised this way; it has to be checked against genuine kernel messages.
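As an added example (not from the book), the following script automates this check for several facilities at once. It assumes that the facility-to-file mapping of the installed syslog.conf is passed on the command line, carries a unique token in every message so that an old "Test mail log message" already sitting in the file is not mistaken for the new one, and deliberately has no entry for kern because logger refuses that facility:

```shell
#!/bin/sh
# Added example, not from the book: send one test message per facility
# that the new syslog.conf routes to its own file and confirm each line
# arrives. Facility-to-file pairs are given on the command line because
# they depend on the installed syslog.conf (assumption).

# wait_for_line FILE TOKEN [SECONDS]: poll FILE once a second until a line
# containing TOKEN appears or SECONDS (default 5) elapse.
# Returns 0 when the line is found, 1 on timeout or if FILE never appears.
wait_for_line() {
    file="$1" token="$2" timeout="${3:-5}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -f "$file" ] && grep -q "$token" "$file"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# verify_facility FACILITY FILE: log one message at FACILITY.info and
# check that it is appended to FILE. Prints "ok" or "FAIL" and returns
# the matching status.
verify_facility() {
    facility="$1" file="$2"
    # the PID and the clock make the token unique across repeated runs
    token="logtest-$$-$(date +%s)-$facility"
    /usr/bin/logger -p "$facility.info" "$token"
    if wait_for_line "$file" "$token"; then
        echo "ok   $facility.info -> $file"
    else
        echo "FAIL $facility.info -> $file (no line containing $token)"
        return 1
    fi
}

# Usage: logtest.sh mail:/var/log/maillog authpriv:/var/log/secure ...
# kern is deliberately absent: logger refuses the kern facility.
main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 facility:/path/to/logfile ..." >&2
        return 0
    fi
    failed=0
    for pair in "$@"; do
        facility="${pair%%:*}"
        file="${pair#*:}"
        verify_facility "$facility" "$file" || failed=1
    done
    return $failed
}
main "$@"
```

Run it as root after restarting syslogd, for example with mail:/var/log/maillog authpriv:/var/log/secure cron:/var/log/cron as arguments. A FAIL line points either at a selector that does not route where you expect or at a file syslogd has not reopened since the configuration changed.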

2.8.2 logrotate.d

The /etc/logrotate.conf file contains the default options for rotating log files. These options may be overridden for a specific log file by editing the files in the /etc/logrotate.d directory. logrotate is not a daemon; it is run once a day from /etc/cron.daily.

2.8.2.1 Edit the Default Configuration File for logrotate (/etc/logrotate.conf) to Keep Log Information Longer

As installed, logs are rotated weekly and only the four most recent old copies are kept, so a month of history is all that survives. Edit /etc/logrotate.conf as shown in the table below so that information about system events is preserved longer; this increases the likelihood that problems or suspected intrusions can still be investigated when they are detected. Note that even though old logs are compressed, a year's worth of log data may still be large, so monitor the free space on the partition where logs are stored (typically /var). Also check the per-file stanzas in /etc/logrotate.d: any of them that set their own interval or rotate count override these global values.

Table 2-3: Default Configuration File for logrotate Daemon Settings

 Default setting   Secure setting   Reason
 ---------------   --------------   ------
 weekly            monthly          Together these two changes keep a year of logs
 rotate 4          rotate 12        instead of a month, providing longer accountability.
 #compress         compress         To conserve space, compress old logs.

2.8.2.2 Update the Configuration File That Controls Rotation of syslogd Files (/etc/logrotate.d/syslog)

The syslog.conf file installed in Step 2.8.1.1 creates the additional log file /var/log/kernel on all systems, and if any of the server-specific lines in that file are uncommented, further log files are created as well. The names of all new log files must be added to the list of files at the beginning of /etc/logrotate.d/syslog so that they are rotated too; a file that syslogd writes but logrotate does not know about grows without bound.
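As an added example (not the book's Appendix B configuration, which is not reproduced here), the following script compares the local files named as actions in a syslog.conf against the file list in front of the first brace of a logrotate stanza and reports the ones that would never be rotated. Run with no arguments it uses two constructed sample files written by write_samples, modelled on Red Hat's stock syslog.conf and /etc/logrotate.d/syslog with a kern.* line added, so the expected finding is /var/log/kernel; pass the real paths to check a live system. It covers both the segregated configuration of 2.8.1.1 and the rotation update of 2.8.2.2:

```shell
#!/bin/sh
# Added example, not from the book: report every local log file that a
# syslog.conf writes to but that the logrotate stanza for syslog does not
# rotate. With no arguments it runs against two constructed sample files
# (written by write_samples); the real files are /etc/syslog.conf and
# /etc/logrotate.d/syslog.

# syslog_local_files CONF: print the local files used as actions in CONF.
# An action beginning with "/" (or "-/", which disables fsync) is a file;
# "@host", "*", "/dev/console" and user lists are not rotated and are skipped.
syslog_local_files() {
    sed -e 's/#.*//' "$1" \
        | awk 'NF >= 2 { print $NF }' \
        | sed -e 's/^-//' \
        | grep '^/' | grep -v '^/dev/' | sort -u
}

# logrotate_files STANZA: print the file names in front of the first "{"
# (logrotate lets several files share one stanza, on one or several lines).
logrotate_files() {
    sed -e 's/#.*//' "$1" | awk '
        {
            brace = index($0, "{")
            if (brace > 0) $0 = substr($0, 1, brace - 1)
            for (i = 1; i <= NF; i++) print $i
            if (brace > 0) exit
        }' | sort -u
}

# unrotated_files CONF STANZA: print each syslog file missing from the
# stanza; return 0 if none are missing, 1 otherwise.
unrotated_files() {
    rotated=$(logrotate_files "$2")
    missing=0
    for f in $(syslog_local_files "$1"); do
        if ! echo "$rotated" | grep -qxF "$f"; then
            echo "$f"
            missing=1
        fi
    done
    return $missing
}

# write_samples DIR: constructed sample configs for a stand-alone run.
# /var/log/kernel is routed by syslog.conf but absent from the stanza.
write_samples() {
    cat > "$1/syslog.conf" <<'EOF'
kern.*                                    /var/log/kernel
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                    /var/log/cron
*.emerg                                   *
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
*.info                                    @loghost
EOF
    cat > "$1/logrotate-syslog" <<'EOF'
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
}

main() {
    if [ $# -eq 2 ]; then
        unrotated_files "$1" "$2"
        return $?
    fi
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "log files written by syslogd but not rotated (sample configs):"
    unrotated_files "$dir/syslog.conf" "$dir/logrotate-syslog" || true
    rm -rf "$dir"
}
main "$@"
```

On a real system run it as ./check-rotation.sh /etc/syslog.conf /etc/logrotate.d/syslog; a non-zero exit status means at least one file printed must be added to the stanza. The check is deliberately literal (no glob expansion), which matches how the stock syslog stanza lists its files.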

2.8.2.3 [Optional] Verify That Log Rotation Is Configured Properly

Use the -f flag with the logrotate command to force the log files to be rotated. New log files should be created and no errors should be reported. To check the configuration first without actually rotating anything, run logrotate with -d instead, which prints what would be done and makes no changes.

 [root@localhost]# /usr/sbin/logrotate -f /etc/logrotate.conf 

2.8.3 logwatch (http://www.logwatch.org)

The best logging configuration is useless if the information in the logs is never reviewed. The logwatch application, which Red Hat runs once a day from cron, parses the log files, filters out entries that report normal activity and mails the remaining, unexpected entries as a report. Edit the line beginning with MailTo in /etc/log.d/logwatch.conf and change the user root to the email address of the person responsible for monitoring logs, then confirm that mail from this system actually reaches that address; a report that is silently undeliverable is no better than none.

2.8.4 ntpd (http://www.cis.udel.edu/~ntp)

Configure the Network Time Protocol (NTP) daemon, ntpd, to synchronize the system clock with three public NTP servers. Accurate, consistent time lets a system administrator reliably correlate events in this system's logs with events in the logs of other systems on the Internet. Three servers rather than one let ntpd detect and discard a single server that is serving the wrong time.

2.8.4.1 Locate Three Public NTP Servers and Add Them to /etc/ntp.conf

Visit http://www.eecis.udel.edu/~mills/ntp/servers.html, select three public servers that are geographically nearby, note their IP addresses and obtain permission from their administrators where the list requires it. Edit the /etc/ntp.conf file and replace the line that begins "server 127.127" (the local clock pseudo-server) with one line for each public server:

 server 10.0.0.1    # IP address of public server 1 
 server 10.0.0.2    # IP address of public server 2 
 server 10.0.0.3    # IP address of public server 3 

As shipped by Red Hat, ntp.conf also contains "restrict default ignore", which makes ntpd drop packets from any host not explicitly allowed. Keep it, and add one restrict line per server so that its replies are accepted while the server is still prevented from querying or modifying this ntpd, for example:

 restrict 10.0.0.1 mask 255.255.255.255 nomodify notrap noquery 

If the default restriction is kept and these lines are missing, the servers' responses are discarded and ntpd never synchronizes.

2.8.4.2 Restart the NTP Daemon and Ensure That It Is Configured to Run on Boot

Force the ntpd daemon to reload its configuration file:

 [root@localhost]# /etc/init.d/ntpd restart 

Make sure the ntpd is configured to start automatically on boot:

 [root@localhost]# /sbin/chkconfig --level 2345 ntpd on 
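Restarting ntpd says nothing about whether it has actually reached the servers. As an added example (not from the book), the script below parses the peer table that ntpq -pn prints and reports whether a server has been selected, how large the offset is, and which servers never answered. The embedded SAMPLE output is constructed, using the placeholder addresses from the ntp.conf lines above; the column layout and the tally characters are ntpq's real format:

```shell
#!/bin/sh
# Added example, not from the book: decide from "ntpq -pn" output whether
# ntpd has actually synchronised with one of the configured servers.
# ntpq marks the selected peer with "*" in the first column, "reach" is
# an octal register of the last eight polls (377 = all eight answered,
# 0 = never answered) and "offset" is in milliseconds. SAMPLE is a
# constructed peer table; the addresses are the ntp.conf placeholders.

SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.1        .GPS.            1 u   45   64  377    1.234   -0.567   0.123
+10.0.0.2        10.1.1.1         2 u   50   64  377    2.345    0.890   0.234
 10.0.0.3        .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_sync_status [MAX_OFFSET_MS] < ntpq-output: print a one-line verdict.
# Returns 0 when a peer is selected and its offset is within MAX_OFFSET_MS
# (default 500), 1 otherwise. Columns are: remote refid st t when poll
# reach delay offset jitter, so the offset is field 9.
ntp_sync_status() {
    awk -v max="${1:-500}" '
        NR <= 2 { next }                      # skip header and ==== rule
        /^\*/   { sel = substr($1, 2); off = $9 + 0; found = 1 }
        END {
            if (!found) { print "no peer selected yet"; exit 1 }
            if (off < 0) off = -off
            if (off > max) {
                print "selected " sel " but offset " off " ms exceeds " max " ms"
                exit 1
            }
            print "synced " sel " offset " off " ms"
        }'
}

# ntp_unreachable_peers < ntpq-output: print peers that never answered
# (reach 0), typically a firewall, a wrong address or a missing restrict line.
ntp_unreachable_peers() {
    awk 'NR > 2 && $7 == 0 { sub(/^[*+#o.x-]/, "", $1); print $1 }'
}

main() {
    if [ "${1:-}" = "--live" ]; then
        out=$(ntpq -pn)
    else
        out="$SAMPLE"
    fi
    printf '%s\n' "$out" | ntp_unreachable_peers | sed 's/^/unreachable: /'
    printf '%s\n' "$out" | ntp_sync_status
}
main "$@"
```

Run ./ntpcheck.sh --live a few minutes after the restart: ntpd polls every 64 seconds at first and needs several successful polls before it selects a peer, so "no peer selected yet" right after the restart is normal, whereas a server still at reach 0 after ten minutes is not.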

Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
Year: 2002
Pages: 39